chux0r / netbang

Scrappy scanner written in Go. Exploring the relevance of "scanning" in the new realm, what redteams need, and what methods can get us what we need quickly and, if at all possible, silently.

Home Page: https://github.com/chux0r/netbang

License: GNU General Public License v2.0

Go 93.27% Shell 3.99% PowerShell 2.74%
cybersecurity fast golang hacktoberfest interrogator network-analysis scanner stealth boom dynamite

netbang's Introduction

netbang

Scrappy endpoint and network interrogator/wringer-outer written in Go.

Rationale

  • Origin thought: "Let's test what Go concurrency might do for network scanning." (As it turns out, all kinds of good performance stuff.)
  • Evolved thought 1: "Let's use this to stretch out everything I know about Go, programming, cybersecurity, and networking." NOTE: Go was my COVID "let's learn a new language" language.
  • Evolved thought 2: "How relevant is 'scanning' these days? How are the landscape and the task different from what they were in 1999? 2007? 2016? What are the new limitations and contextual factors of scanning? What methods need to die? Which methods need to emerge and mature?"
  • Evolved thought 3: "Having explored all that, what should I implement in netbang to make it more relevant and useful today?"

Initial factors

  • Resource management (time, process cycles, bandwidth, etc., but mostly time) in the face of:
    • The vastness of IPv6: networks with vanishingly few realistic limits anymore. There are so many things now that we can't realistically plan to scan every-fuckin-thing A-Z anymore. We'll never have enough time (ever).
  • Stealth
    • Banging away is noisy. It's easy for NG firewalls and endpoints to detect "scanning activity". What methods are quieter? For which outcomes/tasks does banging away still make sense? Which tasks need something different, quieter, or "no touch" approaches? What recon methods/TTPs would we devise? Is it still "banging" if we don't bang? =) NOTE: I've decided: "YES, DEFINITELY." The best bang is no bang at all. Quote me on that.

Features-and-decision-steering ideas

  • It's always about getting information, not necessarily about poking everything in the fucking eye.
    • The best, stealthiest, most valuable scanning info might be achieved by not scanning. This is Zen asf. Oh yeah.
    • Use data sources and APIs like Shodan to gather; prioritize this approach before thinking about banging away on the 'net.
  • To address the "not enough time in my lifetime to scan every address" problem, try what anthropologists and other survey-based researchers have known for a long time:
    • We can't dig everything and sift through it. We have neither the time nor the money.
    • Use available intelligence and artifacts to determine roughly where you think you'll find stuff worth finding.
    • Maximize the limited resources at hand by performing stratified random sampling in those places.

Env: go version go1.20.3 linux/amd64
Build using: "go build *."

AUTHOR: Chuck Geigner "chux0r"
ORG: Megaohm.net Vive la resistance!
Copyright © 2023,2024 CT Geigner, All rights reserved.
Free to use under GNU GPL v2, see https://github/chux0r/netscanx/LICENSE.md

netbang's Issues

MVP feature :: Concurrent scanning

Build and test goroutine concurrency structures, functions, and methods to use in all multi-host scanning contexts.
Go routines
Channel i/o brokers

tcp/udp --portsfile does not seem to work. ALSO: UDP defaults to TCP list

It uses the default list. In fact, looks like it's using the default port list for TCP.

echo "53,161,10000" > ./ports.tmp && ./netbang --proto udp --portsfile ./ports.tmp -t 500 127.0.0.1 && rm ./ports.tmp

Bang target: [127.0.0.1], Portcount: [65]

UDP portbangers unleashed...💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀💀
Jobs run: 65
127.0.0.1 Scan Results

(ports used in this job: =====
8443]
20] -
21] -
22] -
23] -
25] -
43] -
53] -
67] -
68] -
69] -
79] -
80] -
989]
111]
113]
119]
135]
137]
139]
143]
177]
179]
389]
443]
445]
464]
512]
513]
514]
515]
546]
547]
587]
593]
636]
853]
873]
2484]
990]
993]
995]
1270]
1337]
1433]
1434]
1521]
2222]
2323]
2375]
2483]
5432]
3306]
3333]
3389]
110]
5060]
5800]
5900]
8008]
8080]
8081]
8088]
88] -
5061

in version 0.24 alpha --ports spec flag still scans a named list (win_test list) when single port specified

Dev artifact made it to prod?

PS > .\netscanx.exe --ports 3389 127.0.0.1
ParsePortsCDL input string:  3389

Item: 3389

Num character is 9 times 1 (x10^0), totaling 9
Num character is 8 times 10 (x10^1), totaling 89
Num character is 3 times 100 (x10^2), totaling 389
Num character is 3 times 1000 (x10^3), totaling 3389Strings slice:  []
uint16 slice: [3389]Ports specified:  [3389] List specified:  []
tcpScan [127.0.0.1:137] :: Error: [tcpScan [127.0.0.1:623] :: Success!
tcpScan [127.0.0.1:445] :: Success!
tcpScan [127.0.0.1:5040] :: Success!
tcpScan [127.0.0.1:3389] :: Success!
tcpScan [127.0.0.1:5985] :: Success!
tcpScan [127.0.0.1:135] :: Success!
dial tcp 127.0.0.1:137: connectex: An attempt was made to access a socket in a way forbidden by its access permissions.]
tcpScan [127.0.0.1:139] :: Error: [tcpScan [127.0.0.1:8000] :: Error: [dial tcp 127.0.0.1:139: connectex: No connection could be made because the target machine actively refused it.]
dial tcp 127.0.0.1:8000: connectex: No connection could be made because the target machine actively refused it.]tcpScan [127.0.0.1:9999] :: Error: [dial tcp 127.0.0.1:9999: connectex: No connection could be made because the 
target machine actively refused it.]

DNS recon MVP

Write an MVP set of dns tools a user can use to:

Perform hostname->IPs lookup
Perform IP->hostname (reverse) lookup

change the resolver in use, by IP:port

default timeout on UDP scanning can make scan hang very long

Testing on updates for v0.43 reminded me that the UDP scan will hang there for way too long (killed after 1 min, 4 ports out of the "udp_short" default complete).

  • Do more testing on UDP scan to document default timeout and how long scans take, baseline on scanme.org
  • Set a more reasonable default timeout for UDP scanning
    • If the operator wants accuracy, do they have to let everything wait until it times out? Or is there a threshold where anyone may reasonably assume the thing ain't going to respond? Answer this.
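The concurrent-scanning MVP issue and this UDP timeout issue come down to one mechanism: every probe runs inside a worker pool and carries its own deadline, so a port that never answers costs at most the timeout rather than hanging the job. The program below is an added illustration written for this page, not netbang's code. `ProbeUDP`, `ProbeAll`, `listenLocal` and the `Outcome` values are hypothetical names chosen here; the two loopback UDP sockets (one that echoes, one that silently swallows datagrams) are constructed fixtures so the example runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"os"
	"sync"
	"syscall"
	"time"
)

// Outcome classifies what a single UDP probe learned. (Hypothetical type.)
type Outcome int

const (
	Responded  Outcome = iota // a datagram came back: something is listening and talkative
	NoResponse                // deadline expired: open-but-silent or filtered; UDP cannot tell which
	Refused                   // ICMP port unreachable surfaced as ECONNREFUSED: nothing is bound
	Failed                    // dial, write or other error (see Err)
)

var outcomeName = [...]string{"responded", "no-response", "refused", "failed"}

// Result is one probe's verdict plus how long it took to reach it.
type Result struct {
	Target  string
	Outcome Outcome
	Err     error
	Took    time.Duration
}

// ProbeUDP sends one datagram to target and waits at most timeout for any
// reply. The read deadline is what bounds the wait; without it a silent port
// blocks the goroutine forever.
func ProbeUDP(ctx context.Context, target string, payload []byte, timeout time.Duration) Result {
	start := time.Now()
	d := net.Dialer{Timeout: timeout}
	conn, err := d.DialContext(ctx, "udp", target)
	if err != nil {
		return Result{Target: target, Outcome: Failed, Err: err, Took: time.Since(start)}
	}
	defer conn.Close()
	deadline := time.Now().Add(timeout)
	if dl, ok := ctx.Deadline(); ok && dl.Before(deadline) {
		deadline = dl // honour a shorter whole-scan deadline if the caller set one
	}
	_ = conn.SetDeadline(deadline)
	if _, err := conn.Write(payload); err != nil {
		return Result{Target: target, Outcome: Failed, Err: err, Took: time.Since(start)}
	}
	buf := make([]byte, 512)
	_, err = conn.Read(buf)
	switch {
	case err == nil:
		return Result{Target: target, Outcome: Responded, Took: time.Since(start)}
	case errors.Is(err, os.ErrDeadlineExceeded):
		return Result{Target: target, Outcome: NoResponse, Took: time.Since(start)}
	case errors.Is(err, syscall.ECONNREFUSED):
		return Result{Target: target, Outcome: Refused, Took: time.Since(start)}
	default:
		return Result{Target: target, Outcome: Failed, Err: err, Took: time.Since(start)}
	}
}

// ProbeAll fans targets out over a fixed number of worker goroutines and
// collects results through a channel, returning them in input order.
func ProbeAll(ctx context.Context, targets []string, payload []byte, timeout time.Duration, workers int) []Result {
	jobs := make(chan string)
	results := make(chan Result)
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for t := range jobs {
				results <- ProbeUDP(ctx, t, payload, timeout)
			}
		}()
	}
	go func() {
		for _, t := range targets {
			jobs <- t
		}
		close(jobs)
		wg.Wait()
		close(results)
	}()
	byTarget := map[string]Result{}
	for r := range results {
		byTarget[r.Target] = r
	}
	out := make([]Result, len(targets))
	for i, t := range targets {
		out[i] = byTarget[t]
	}
	return out
}

// listenLocal binds an ephemeral UDP port on loopback (constructed fixture).
// With echo=true a goroutine reflects every datagram; otherwise the socket just
// swallows them, which is exactly the "open but silent" case that hangs a scan.
func listenLocal(echo bool) (addr string, stop func(), err error) {
	pc, err := net.ListenPacket("udp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	if echo {
		go func() {
			buf := make([]byte, 512)
			for {
				n, from, err := pc.ReadFrom(buf)
				if err != nil {
					return
				}
				_, _ = pc.WriteTo(buf[:n], from)
			}
		}()
	}
	return pc.LocalAddr().String(), func() { pc.Close() }, nil
}

func main() {
	echo, stopEcho, err := listenLocal(true)
	if err != nil {
		panic(err)
	}
	defer stopEcho()
	silent, stopSilent, err := listenLocal(false)
	if err != nil {
		panic(err)
	}
	defer stopSilent()
	for _, r := range ProbeAll(context.Background(), []string{echo, silent}, []byte("ping"), 200*time.Millisecond, 4) {
		fmt.Printf("%-22s %-12s took=%v err=%v\n", r.Target, outcomeName[r.Outcome], r.Took.Round(time.Millisecond), r.Err)
	}
}
```

The timeout value is the accuracy/time trade-off the issue asks about: a silent open port and a filtered one both end in `NoResponse`, and nothing the prober sees distinguishes them, so a longer wait buys no extra certainty for that class, only for slow responders. Running this against a real service rather than the loopback fixtures is the same call with a different target string.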

Goroutine runtime error: index out of range in main.go

[Running] go run "netscanx\main.go"
panic: runtime error: index out of range [0] with length 0

goroutine 1 [running]:
main.main()
netscanx/main.go:96 +0xcf9
exit status 2

[Done] exited with code=1 in 2.067 seconds

MVP feature :: TCP scanning

Build and test:
TCP Connect
TCP Half-open
TCP full-open
TCP close
TCP connection error collection/handling
TCP session error collection/handling
Response collection

MVP feature :: CLI switch parsing

Build and test a method to be used on the CLI that will parse CLI switches given between argv[0] and argv[last] (target IP/hostname(s))

Scanning mode: IP/network range sampling engine (linear rand, stratified, stratified rand)

A-Z whole-net scanning is not a realistic strategy for teams needing to enumerate or locate things within very large address spaces, especially ipv6. Stratified random sampling has been useful for researchers in other fields (hello anthropologists!) also dealing with the need to use limited resources to maximize the location of the most significant artifacts. Most are dealing with a limitation on time and funding. We are as well.

To get the best results possible from stratified random target scanning, it will also be important to adjust targeting using things we know, or at least guess intelligently: about the space, customs, protocols, patterns observed, and other knowns to tighten up testing. For instance, we know the first and last addresses of a network are the network and broadcast addresses, respectively. We can also make a decent guess that network routing devices are likely to be found on the first or last host-addressable IP addresses. Knowing that hosts are more likely to have adjacency might give rise to a method that interrogates neighboring IPs once we locate a host. And so on.

Just as anthropologists on a dig with limited research dollars gather intelligence from other researchers, info gathered from locals in an area, topographical maps, satellite photography, aerial photos, and past results, so should we use available intel to adjust our stratified random sampling.
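The sampling idea in the README ("stratified random sampling in those places") and the engine described in this issue can be stated as a small, reproducible algorithm. The following Go program is an added example written for this page, not netbang's implementation: `SamplePlan`, `StratifiedSample` and `hostRange` are names chosen here. It carves the host range of an IPv4 prefix into equal contiguous strata, draws a fixed number of distinct random addresses from each, and always includes the first and last host addresses as the one "intelligent guess" the issue gives (gateways at the block edges). IPv4 only is an assumption made to keep the arithmetic in a `uint32`; the same scheme applies to IPv6 with 128-bit arithmetic.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
	"net/netip"
	"sort"
)

// SamplePlan describes how to carve a network into strata and how many random
// addresses to draw from each. (Hypothetical type, not netbang's own.)
type SamplePlan struct {
	Strata   int   // number of equal-size contiguous strata over the host range
	PerStrat int   // distinct random addresses drawn from each stratum
	Seed     int64 // fixed seed so a plan is reproducible and reviewable
}

// hostRange returns the first and last host-addressable address of an IPv4
// prefix as uint32. Network and broadcast addresses are excluded, except for
// /31 and /32 where every address is usable.
func hostRange(p netip.Prefix) (lo, hi uint32, err error) {
	if !p.Addr().Is4() {
		return 0, 0, errors.New("this example handles IPv4 prefixes only")
	}
	p = p.Masked()
	a := p.Addr().As4()
	first := uint32(a[0])<<24 | uint32(a[1])<<16 | uint32(a[2])<<8 | uint32(a[3])
	size := uint64(1) << (32 - p.Bits()) // uint64 so a /0 does not overflow
	last := uint32(uint64(first) + size - 1)
	if p.Bits() >= 31 {
		return first, last, nil
	}
	return first + 1, last - 1, nil
}

func toAddr(u uint32) netip.Addr {
	return netip.AddrFrom4([4]byte{byte(u >> 24), byte(u >> 16), byte(u >> 8), byte(u)})
}

// StratifiedSample splits the host range of prefix into plan.Strata contiguous
// strata and draws plan.PerStrat distinct addresses from each. The first and
// last host addresses are always included (the "routers live at the edges"
// prior). The result is sorted and duplicate-free.
func StratifiedSample(prefix string, plan SamplePlan) ([]netip.Addr, error) {
	p, err := netip.ParsePrefix(prefix)
	if err != nil {
		return nil, err
	}
	if plan.Strata < 1 || plan.PerStrat < 1 {
		return nil, errors.New("Strata and PerStrat must both be >= 1")
	}
	lo, hi, err := hostRange(p)
	if err != nil {
		return nil, err
	}
	total := uint64(hi) - uint64(lo) + 1
	rng := rand.New(rand.NewSource(plan.Seed))
	picked := map[uint32]struct{}{lo: {}, hi: {}} // priors go in first

	for s := 0; s < plan.Strata; s++ {
		sLo := uint64(lo) + total*uint64(s)/uint64(plan.Strata)
		sHiEx := uint64(lo) + total*uint64(s+1)/uint64(plan.Strata) // exclusive bound
		if sHiEx <= sLo {
			continue // more strata than addresses: this stratum is empty
		}
		span := sHiEx - sLo
		if span <= uint64(plan.PerStrat) {
			for u := sLo; u < sHiEx; u++ { // tiny stratum: take all of it
				picked[uint32(u)] = struct{}{}
			}
			continue
		}
		local := map[uint32]struct{}{} // draw without replacement inside the stratum
		for len(local) < plan.PerStrat {
			local[uint32(sLo+uint64(rng.Int63n(int64(span))))] = struct{}{}
		}
		for u := range local {
			picked[u] = struct{}{}
		}
	}

	out := make([]netip.Addr, 0, len(picked))
	for u := range picked {
		out = append(out, toAddr(u))
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Less(out[j]) })
	return out, nil
}

func main() {
	addrs, err := StratifiedSample("192.0.2.0/24", SamplePlan{Strata: 4, PerStrat: 2, Seed: 1})
	if err != nil {
		panic(err)
	}
	fmt.Println(addrs)
}
```

Because the seed is part of the plan, the address list a job will touch can be generated and reviewed (or logged) before anything is sent, which is also what makes the per-stratum coverage measurable afterwards: every stratum is guaranteed its `PerStrat` picks, so a block that yields nothing in one stratum and plenty in another is itself a data point for adjusting the next plan.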

PORTLIST: Read named standard lists from configuration file

Key features:

Input: netscanx ports.conf file
Processing:
format is <whitespace?>PORTNUM(INT32)DESCRIPTION
(DESCRIPTION can include multiple whitespaces)
Use as record separator
parse file
ignore everything after comments "#"
ignore any/all whitespace at beginning of records
ignore empty lines
error out if there are lines where PORTNUM is not a valid uint32 value
Output: Return a slice of uint32

See Ports.md for example.
Standard configs are
tcp_short
tcp_extra
udp_short

(NOTE: there is no "tcp_long", at least in the config. We build it on the fly as "tcp_short+tcp_extra".)
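A parser meeting the processing rules above (comment stripping on `#`, leading whitespace and empty lines ignored, a hard error on any record whose PORTNUM is not a valid port number) plus the on-the-fly `tcp_long` composition, as an added example written for this page rather than netbang's own code. The `[name]` section-header syntax for naming lists is an assumption, since the issue defers the file format to Ports.md; `ParsePortsConf`, `NamedList` and `PortConf` are names chosen here. Port numbers are kept as `uint16` because a valid port cannot exceed 65535, and `strconv.ParseUint` with a bit size of 16 turns anything larger into a parse error.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// samplePortsConf is a constructed example file; the "[name]" headers are an
// assumption of this example, not netbang's documented format.
const samplePortsConf = `
# comment-only line
[tcp_short]
   22   ssh
80     http  (plain)
   443  https
# 8080 commented out entirely
8080 # trailing comment: still a record

[tcp_extra]
  3389 rdp
5985   winrm

[udp_short]
53 dns
161 snmp
`

// PortConf maps a list name to its ports, in file order.
type PortConf map[string][]uint16

// ParsePortsConf applies the record rules: strip everything after '#', trim
// leading whitespace, skip empty lines, treat the first field as PORTNUM and
// the rest as free-form DESCRIPTION, and fail on any invalid PORTNUM.
func ParsePortsConf(text string) (PortConf, error) {
	conf := PortConf{}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.TrimSpace(line[1 : len(line)-1])
			if section == "" {
				return nil, fmt.Errorf("line %d: empty section name", n)
			}
			if _, ok := conf[section]; !ok {
				conf[section] = nil // an empty named list is still a list
			}
			continue
		}
		if section == "" {
			return nil, fmt.Errorf("line %d: record before any [section] header", n)
		}
		fields := strings.Fields(line) // DESCRIPTION may contain any amount of whitespace
		port, err := strconv.ParseUint(fields[0], 10, 16)
		if err != nil {
			return nil, fmt.Errorf("line %d: bad PORTNUM %q: %w", n, fields[0], err)
		}
		if port == 0 {
			return nil, fmt.Errorf("line %d: port 0 is not a usable port", n)
		}
		conf[section] = append(conf[section], uint16(port))
	}
	return conf, sc.Err()
}

// dedupe removes repeated ports while preserving first-seen order.
func dedupe(in []uint16) []uint16 {
	seen := make(map[uint16]bool, len(in))
	out := make([]uint16, 0, len(in))
	for _, p := range in {
		if !seen[p] {
			seen[p] = true
			out = append(out, p)
		}
	}
	return out
}

// NamedList resolves a standard list name. "tcp_long" is never stored in the
// file; it is built on the fly as tcp_short followed by tcp_extra.
func NamedList(conf PortConf, name string) ([]uint16, error) {
	if name == "tcp_long" {
		short, err := NamedList(conf, "tcp_short")
		if err != nil {
			return nil, err
		}
		extra, err := NamedList(conf, "tcp_extra")
		if err != nil {
			return nil, err
		}
		return dedupe(append(short, extra...)), nil
	}
	ports, ok := conf[name]
	if !ok {
		return nil, fmt.Errorf("no such port list %q", name)
	}
	return dedupe(ports), nil
}

func main() {
	conf, err := ParsePortsConf(samplePortsConf)
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"tcp_short", "tcp_extra", "tcp_long", "udp_short"} {
		ports, _ := NamedList(conf, name)
		fmt.Println(name, ports)
	}
}
```

Failing the whole file on one bad record, rather than skipping it, is deliberate: a list that silently lost a port is worse for a scan than one that refuses to load, because the operator would read "closed" where the tool never looked.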

Shodan recon confused when key is set in env

EXECUTE: ./netbang --recon shodan hostip 1.1.1.1
2024/03/25 14:11:51 "Notice: SHODAN_KEY: " set in OS ENV; but other API key given. Using key set explicitly: [1.1.1.1].

(morgan freeman voice: "no other API key was given")

MVP feature :: custom ports list builder

Dependency: CLI switch parser
Build and test "--port|-p" switch and method to specify one or more comma delimited ports to use in any scan that accepts a port list (tcp/udp)

OOB Port number specified is used anyway.

CLI-specified portdef will allow numbers > 65535 without throwing an error. Number wraps around and is used anyway.

--ctg

mongoose@thoughtcrime:~/workbench/dev/golang/netbang$ ./netbang -p 80,8urr1to-,111,10000,80000 --debug scanme.org
DEBUG: buildPortsList(): Process input [ 80,8urr1to-,111,10000,80000 ] with parsePortsCdl()
DEBUG: parsePortsCDL(): parsing " 80,8urr1to-,111,10000,80000 "
DEBUG: parsePortsCDL(): Evaluating item [ 80 ]
DEBUG: parsePortsCDL(): Item [ 80 ] is a number [ 80 ]. Appended. Current port slice [ [80] ]
DEBUG: parsePortsCDL(): Evaluating item [ 8urr1to- ]
DEBUG: parsePortsCDL(): [ 8urr1to- ] result: NAN
DEBUG: parsePortsCDL(): [ 8urr1to- ] is possibly a port range.
DEBUG: ArgsToPortRange. Result: RANGE[ 0 ]:[ 0 ]
DEBUG: parsePortsCDL(): Evaluating item [ 111 ]
DEBUG: parsePortsCDL(): Item [ 111 ] is a number [ 111 ]. Appended. Current port slice [ [80 111] ]
DEBUG: parsePortsCDL(): Evaluating item [ 10000 ]
DEBUG: parsePortsCDL(): Item [ 10000 ] is a number [ 10000 ]. Appended. Current port slice [ [80 111 10000] ]
DEBUG: parsePortsCDL(): Evaluating item [ 80000 ]
DEBUG: parsePortsCDL(): Item [ 80000 ] is a number [ 80000 ]. Appended. Current port slice [ [80 111 10000 14464] ]

DEBUG: parsePortsCdl() Port range def string:  80,8urr1to-,111,10000,80000

DEBUG: parsePortsCdl() RETURN-> Named portlist strings slice:  []

DEBUG: parsePortsCdl() RETURN-> Uint16 ports slice:  [80 111 10000 14464]
DEBUG: buildPortsList(): Adding [ [80 111 10000 14464] ] to ThisScan...Portlist.
DEBUG: buildPortsList(): Resulting PortList [ [80 111 10000 14464] ]

Bang target: [scanme.org], Portcount: [4]
=====================================================
TCP portbangers unleashed...😎💀💀💀
Jobs run: 4
scanme.org Scan Results
================================================================================
[scanme.org:80] -->     [😎] OPEN
[scanme.org:10000] -->  [💀] ERROR: dial tcp 45.33.32.156:10000: connect: connection refused
[scanme.org:14464] -->  [💀] ERROR: dial tcp 45.33.32.156:14464: connect: connection refused
[scanme.org:111] -->    [💀] ERROR: dial tcp 45.33.32.156:111: i/o timeout
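The debug log shows the two defects this issue and the custom-ports-list MVP care about: `80000` is appended as `14464` (80000 mod 65536, the low 16 bits surviving a narrowing conversion), and the garbage token `8urr1to-` is treated as a port range that resolves to `0:0`. The Go program below is an added example written for this page, not netbang's `parsePortsCDL`: `ParsePortSpec`, `parsePort` and `Wraparound` are names chosen here. It parses the same comma-delimited form (single ports and `lo-hi` ranges) but refuses anything outside 1..65535 and anything non-numeric, so a bad spec fails before a single packet is sent.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Wraparound reproduces the defect in the issue: converting a number larger
// than 65535 straight to uint16 keeps only the low 16 bits, so 80000 becomes
// 14464, the port the debug log shows being scanned instead.
func Wraparound(n uint64) uint16 { return uint16(n) }

// parsePort parses one token and rejects anything outside 1..65535. Passing
// bitSize 16 to strconv.ParseUint makes an out-of-band value a parse error
// ("value out of range") rather than a silently wrapped port.
func parsePort(tok string) (uint16, error) {
	v, err := strconv.ParseUint(tok, 10, 16)
	if err != nil {
		return 0, fmt.Errorf("port %q: %w", tok, err)
	}
	if v == 0 {
		return 0, fmt.Errorf("port %q: port 0 is reserved", tok)
	}
	return uint16(v), nil
}

// ParsePortSpec parses a comma-delimited spec such as "22,80,8000-8010".
// A token that is neither a port nor a lo-hi range is an error; nothing is
// skipped, clamped or wrapped. Duplicates are dropped, order is preserved.
func ParsePortSpec(spec string) ([]uint16, error) {
	var out []uint16
	seen := map[uint16]bool{}
	add := func(p uint16) {
		if !seen[p] {
			seen[p] = true
			out = append(out, p)
		}
	}
	for _, tok := range strings.Split(spec, ",") {
		tok = strings.TrimSpace(tok)
		if tok == "" {
			return nil, fmt.Errorf("empty item in %q", spec)
		}
		lo, hi, isRange := strings.Cut(tok, "-")
		if !isRange {
			p, err := parsePort(tok)
			if err != nil {
				return nil, err
			}
			add(p)
			continue
		}
		a, err := parsePort(strings.TrimSpace(lo))
		if err != nil {
			return nil, fmt.Errorf("range %q: %w", tok, err)
		}
		b, err := parsePort(strings.TrimSpace(hi))
		if err != nil {
			return nil, fmt.Errorf("range %q: %w", tok, err)
		}
		if a > b {
			return nil, fmt.Errorf("range %q: start exceeds end", tok)
		}
		for p := uint32(a); p <= uint32(b); p++ { // uint32 loop: a uint16 counter would never exceed 65535 and loop forever
			add(uint16(p))
		}
	}
	return out, nil
}

func main() {
	fmt.Println("80000 narrowed to uint16 becomes", Wraparound(80000))
	for _, spec := range []string{"80,111,10000,80000", "80,8urr1to-,111", "22, 80,8000-8003,80"} {
		ports, err := ParsePortSpec(spec)
		fmt.Printf("%-22q -> %v err=%v\n", spec, ports, err)
	}
}
```

The range loop counting in `uint32` is the other place a narrowing type bites: with a `uint16` counter, `p++` after 65535 wraps to 0 and the loop never terminates for a spec ending at 65535.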
